Introduction to DMVPN

DMVPN (Dynamic Multipoint VPN) is a routing technique we can use to build a VPN network with multiple sites without having to statically configure all devices. It’s a “hub and spoke” network where the spokes will be able to communicate with each other directly without having to go through the hub. Encryption is supported through IPsec which makes DMVPN a popular choice for connecting different sites using regular Internet connections. It’s a great backup or alternative to private networks like MPLS VPN.

There are four pieces to the DMVPN puzzle:

Multipoint GRE (mGRE)

NHRP (Next Hop Resolution Protocol)

Routing (RIP, EIGRP, OSPF, BGP, etc.)

IPsec (not required but recommended)

Let me explain these different topics…

Multipoint GRE

Our “regular” GRE tunnels are point-to-point and don’t scale well. For example, let’s say we have a company network with some sites that we want to connect to each other using regular Internet connections:

Above we have one router that represents the HQ and there are four branch offices. Let’s say that we have the following requirements:

Each branch office has to be connected to the HQ.

Traffic between Branch 1 and Branch 2 has to be tunneled directly.

Traffic between Branch 3 and Branch 4 has to be tunneled directly.

To accomplish this we will have to configure a bunch of GRE tunnels which will look like this:

Things will get messy quickly…we have to create multiple tunnel interfaces, set the source/destination IP addresses etc. It will work but it’s not a very scalable solution. Multipoint GRE, as the name implies, allows us to have multiple destinations. When we use them, our picture could look like this:

When we use GRE Multipoint, there will be only one tunnel interface on each router. The HQ for example has one tunnel with each branch office as its destination. Now you might be wondering, what about the requirement where branch office 1/2 and branch office 3/4 have a direct tunnel?

Right now we have a hub and spoke topology. The cool thing about DMVPN is that we use multipoint GRE so we can have multiple destinations. When we need to tunnel something between branch office 1/2 or 3/4, we automatically “build” new tunnels:

When there is traffic between the branch offices, we can tunnel it directly instead of sending it through the HQ router. This sounds pretty cool but it introduces some problems…

When we configure point-to-point GRE tunnels we have to configure a source and destination IP address that are used to build the GRE tunnel. When two branch routers want to tunnel some traffic, how do they know what IP addresses to use? Let me show you what I’m talking about:

Above we have our HQ and two branch routers, branch1 and branch2. Each router is connected to the Internet and has a public IP address:

HQ: 1.1.1.1

Branch1: 2.2.2.2

Branch2: 3.3.3.3

On the GRE multipoint tunnel interface we use a single subnet with the following private IP addresses:

HQ: 192.168.1.1

Branch1: 192.168.1.2

Branch2: 192.168.1.3

Let’s say that we want to send a ping from branch1’s tunnel interface to the tunnel interface of branch2. Here’s what the GRE encapsulated IP packet will look like:

The “inner” source and destination IP addresses are known to us, these are the IP addresses of the tunnel interfaces. We encapsulate this IP packet, put a GRE header in front of it and then we have to fill in the “outer” source and destination IP addresses so that this packet can be routed on the Internet. The branch1 router knows its own public IP address but it has no clue what the public IP address of branch2 is…
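To make the two header layers concrete, here is an added Python example (not part of the lesson) that builds the GRE-encapsulated ping from the picture above: an inner IPv4/ICMP packet between the tunnel addresses 192.168.1.2 and 192.168.1.3, a plain 4-byte GRE header, and an outer IPv4 header with protocol 47 from 2.2.2.2 to whatever public (NBMA) address branch1 has for the next hop. The `nbma_map` dictionary stands in for the tunnel-IP to public-IP table that NHRP fills on a real router; when the entry for branch2 is missing, the outer header cannot be completed and the function refuses to build the packet. Function names and the map structure are this example's own.

```python
import socket
import struct
from typing import Dict, Optional

GRE_IP_PROTOCOL = 47          # IP protocol number in the outer header for GRE
GRE_PROTO_TYPE_IPV4 = 0x0800  # GRE "protocol type" field for an IPv4 inner packet


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071), used by both the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, protocol: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header: version 4, IHL 5, TTL 64, no options."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      protocol, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: Optional[str]) -> bytes:
    """Put a GRE header in front of the inner IP packet and add the outer IP header.

    The outer destination is the NBMA (public) address of the remote tunnel endpoint.
    Without it the packet cannot be built, which is exactly the gap NHRP fills."""
    if outer_dst is None:
        raise LookupError("outer destination unknown: NBMA address of the tunnel next hop not resolved")
    gre = struct.pack("!HH", 0, GRE_PROTO_TYPE_IPV4)  # no flags, no key or sequence fields
    return ipv4_header(outer_src, outer_dst, GRE_IP_PROTOCOL, len(gre) + len(inner)) + gre + inner


def gre_decapsulate(packet: bytes) -> dict:
    """Parse outer IP -> GRE -> inner IP and return the addresses seen at each layer."""
    ihl = (packet[0] & 0x0F) * 4
    outer, rest = packet[:ihl], packet[ihl:]
    if outer[9] != GRE_IP_PROTOCOL:
        raise ValueError("outer header does not carry GRE")
    _flags, proto_type = struct.unpack("!HH", rest[:4])
    inner = rest[4:]
    return {
        "outer_src": socket.inet_ntoa(outer[12:16]),
        "outer_dst": socket.inet_ntoa(outer[16:20]),
        "outer_checksum_ok": ones_complement_checksum(outer) == 0,
        "gre_proto_type": proto_type,
        "inner_src": socket.inet_ntoa(inner[12:16]),
        "inner_dst": socket.inet_ntoa(inner[16:20]),
        "inner_protocol": inner[9],
    }


def build_branch_ping(nbma_map: Dict[str, str]) -> bytes:
    """Branch1 (tunnel 192.168.1.2, public 2.2.2.2) pings Branch2's tunnel address 192.168.1.3.

    nbma_map is Branch1's tunnel-IP -> NBMA-IP table (the table NHRP would populate)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"  # echo request, id 1, seq 1
    icmp = icmp[:2] + struct.pack("!H", ones_complement_checksum(icmp)) + icmp[4:]
    inner = ipv4_header("192.168.1.2", "192.168.1.3", 1, len(icmp)) + icmp
    return gre_encapsulate(inner, "2.2.2.2", nbma_map.get("192.168.1.3"))


if __name__ == "__main__":
    # Branch1 only knows the hub's public address statically: building the packet fails.
    try:
        build_branch_ping({"192.168.1.1": "1.1.1.1"})
    except LookupError as err:
        print("without NHRP:", err)
    # Once the mapping for Branch2 is known, the outer header can be filled in.
    packet = build_branch_ping({"192.168.1.1": "1.1.1.1", "192.168.1.3": "3.3.3.3"})
    print("with NHRP:", gre_decapsulate(packet))
```

Running the script first shows the failure (only the hub is in the table, so the outer destination is unknown) and then the complete 56-byte packet once the branch2 mapping exists. Note that the outer header is what the Internet routes on; the tunnel addresses only become visible again after decapsulation, which is also why IPsec is applied to the outer packet in DMVPN.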

To fix this problem, we need some help from another protocol…

NHRP (Next Hop Resolution Protocol)

We need something that helps our branch1 router figure out what the public IP address of the branch2 router is. We do this with a protocol called NHRP (Next Hop Resolution Protocol). Here’s an explanation of how NHRP works:

One router will be the NHRP server.

All other routers will be NHRP clients.

NHRP clients register themselves with the NHRP server and report their public IP address.

The NHRP server keeps track of all public IP addresses in its cache.

When one router wants to tunnel something to another router, it will request the NHRP server for the public IP address of the other router.

Since NHRP uses this server/client model, it makes sense to use a hub and spoke topology for multipoint GRE. Our hub router will be the NHRP server and all other routers will be the spokes.

Here’s an illustration of how NHRP works with multipoint GRE:

Above we have two spoke routers (NHRP clients) which establish a tunnel to the hub router. Later, once we look at the configurations, you will see that the destination IP address of the hub router is statically configured on the spoke routers. The hub router will dynamically accept spoke routers. The routers use an NHRP registration request message to register their public IP addresses with the hub.

The hub, our NHRP server, creates a mapping between the public IP addresses and the IP addresses of the tunnel interfaces.

A few seconds later, spoke1 decides that it wants to send something to spoke2. It needs to figure out the destination public IP address of spoke2, so it sends an NHRP resolution request, asking the hub router what the public IP address of spoke2 is.

The Hub router checks its cache, finds an entry for spoke 2 and sends the NHRP resolution reply to spoke1 with the public IP address of spoke2.

Spoke1 now knows the destination public IP address of spoke2 and is able to tunnel something directly. This is great: we only need the hub to figure out what the public IP address is, and all traffic can then be sent from spoke to spoke directly.

In NHRP terminology, you’ll see that we don’t talk about “public IP addresses” but NBMA addresses. NHRP is an old protocol (the RFC is from 1998) which was originally developed for NBMA networks like frame-relay or ATM.

When we talk about DMVPN, we often refer to an underlay and overlay network:

The underlay network is the network we use for connectivity between the different routers, for example the Internet.

The overlay network is our private network with GRE tunnels.

NHRP is a bit similar to ARP or frame-relay inverse ARP. Instead of mapping L2 to L3 information, we are now mapping a tunnel IP address to an NBMA IP address.

DMVPN has different versions which we call phases. There are three of them:

Phase 1

Phase 2

Phase 3

Let me give you an overview of the three phases:

Phase 1

With phase 1 we use NHRP so that spokes can register themselves with the hub. The hub is the only router that is using a multipoint GRE interface, all spokes will be using regular point-to-point GRE tunnel interfaces. This means that there will be no direct spoke-to-spoke communication, all traffic has to go through the hub!

Since our traffic has to go through the hub, our routing configuration will be quite simple. Spoke routers only need a summary or default route to the hub to reach other spoke routers.

Phase 2

The disadvantage of phase 1 is that there are no direct spoke-to-spoke tunnels. In phase 2, all spoke routers use multipoint GRE tunnels so we do have direct spoke-to-spoke tunneling. When a spoke router wants to reach another spoke, it will send an NHRP resolution request to the hub to find the NBMA IP address of the other spoke.

There are two requirements to make spoke to spoke tunnels work:


The different versions are like an evolution of DMVPN. We don’t really use phase 1 anymore unless you have a really good reason why you want to force all traffic through the hub (security perhaps?). Otherwise, it’s more effective to allow spoke-to-spoke traffic.

Both phase 2 and 3 allow spoke-to-spoke traffic, the advantage of phase 3 is that we use the “shortcuts” so you don’t need specific entries anymore in the routing tables of the spoke routers. I can’t think of any advantages right now that phase 2 has over phase 3 so if you implement this, yo

This is a very good question. Let’s look at the process in more detail when using Phase 3.

Initially (and that is the key word), all spoke-to-spoke packets are switched across the hub. In order for a spoke to learn about the true NBMA IP address of another spoke, the NHRP redirect message is used.

So when a hub receives an IP packet inbound on its interface and switches it out of the same interface, it sends a special NHRP redirect message to the source indicating that this is a suboptimal path. It should look for a better way using NHRP resolution.
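The NHRP exchange from the NHRP section above (registration request, resolution request and reply) and the forwarding behaviour of the three phases, including the Phase 3 redirect described in this answer, as one added Python model. This is example code written for this page, not the lesson's or Cisco's, and it is deliberately simplified: resolution is always answered from the hub's cache, hold times, routing protocols and IPsec are left out, and the `Hub`/`Spoke` classes and message tuples are this example's own names. The addresses reuse the lesson's topology (hub 1.1.1.1/192.168.1.1, spokes 2.2.2.2/192.168.1.2 and 3.3.3.3/192.168.1.3).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Hub:
    """NHRP server. The cache maps overlay tunnel addresses to underlay NBMA addresses."""
    tunnel_ip: str
    nbma_ip: str
    cache: Dict[str, str] = field(default_factory=dict)
    redirects_sent: int = 0

    def registration_request(self, tunnel_ip: str, nbma_ip: str) -> Tuple[str, str, str]:
        """A spoke reports its NBMA address; the hub stores the mapping and acknowledges."""
        self.cache[tunnel_ip] = nbma_ip
        return ("registration-reply", tunnel_ip, nbma_ip)

    def resolution_request(self, tunnel_ip: str) -> Tuple[str, str, Optional[str]]:
        """Answer from the cache; an unregistered tunnel address gets a reply with no NBMA."""
        return ("resolution-reply", tunnel_ip, self.cache.get(tunnel_ip))

    def forward(self, src_phase: int, dst_tunnel_ip: str) -> Tuple[str, bool]:
        """Hairpin a spoke-to-spoke packet back out of the tunnel interface it arrived on.

        Returns the destination NBMA address and whether an NHRP redirect was sent.
        Only a Phase 3 hub tells the source that this path is suboptimal."""
        if dst_tunnel_ip not in self.cache:
            raise LookupError(f"{dst_tunnel_ip} never registered with the hub")
        redirected = src_phase == 3
        if redirected:
            self.redirects_sent += 1
        return self.cache[dst_tunnel_ip], redirected


@dataclass
class Spoke:
    """NHRP client. Only the hub's NBMA address is configured statically."""
    name: str
    tunnel_ip: str
    nbma_ip: str
    phase: int
    nhrp_map: Dict[str, str] = field(default_factory=dict)   # tunnel IP -> NBMA IP
    shortcuts: Dict[str, str] = field(default_factory=dict)  # Phase 3 shortcut entries

    def register(self, hub: Hub) -> None:
        self.nhrp_map[hub.tunnel_ip] = hub.nbma_ip            # the one static mapping
        hub.registration_request(self.tunnel_ip, self.nbma_ip)

    def resolve(self, hub: Hub, dst_tunnel_ip: str) -> Optional[str]:
        """Ask the hub for the NBMA address behind a tunnel address and cache the answer."""
        _, _, nbma = hub.resolution_request(dst_tunnel_ip)
        if nbma is not None:
            self.nhrp_map[dst_tunnel_ip] = nbma
        return nbma

    def send(self, hub: Hub, dst_tunnel_ip: str) -> List[str]:
        """Return the underlay path (NBMA hops) one packet takes to dst_tunnel_ip."""
        if self.phase == 2:
            # Specific route with the remote spoke as next hop: resolve first, then go direct.
            nbma = self.nhrp_map.get(dst_tunnel_ip) or self.resolve(hub, dst_tunnel_ip)
            if nbma is None:
                raise LookupError(f"{dst_tunnel_ip} never registered with the hub")
            return [self.nbma_ip, nbma]
        if self.phase == 3 and dst_tunnel_ip in self.shortcuts:
            return [self.nbma_ip, self.shortcuts[dst_tunnel_ip]]
        # Phase 1 always, and Phase 3 until a shortcut exists: follow the summary route via the hub.
        dst_nbma, redirected = hub.forward(self.phase, dst_tunnel_ip)
        if redirected and self.resolve(hub, dst_tunnel_ip) is not None:
            self.shortcuts[dst_tunnel_ip] = self.nhrp_map[dst_tunnel_ip]
        return [self.nbma_ip, hub.nbma_ip, dst_nbma]


def demo(phase: int) -> Tuple[List[str], List[str], int]:
    """Two packets from spoke1 to spoke2 in the given phase: both paths and the redirect count."""
    hub = Hub("192.168.1.1", "1.1.1.1")
    spoke1 = Spoke("spoke1", "192.168.1.2", "2.2.2.2", phase)
    spoke2 = Spoke("spoke2", "192.168.1.3", "3.3.3.3", phase)
    spoke1.register(hub)
    spoke2.register(hub)
    first = spoke1.send(hub, spoke2.tunnel_ip)
    second = spoke1.send(hub, spoke2.tunnel_ip)
    return first, second, hub.redirects_sent


if __name__ == "__main__":
    for phase in (1, 2, 3):
        print(f"phase {phase}:", demo(phase))
```

Running `demo` for each phase shows the three behaviours side by side: in Phase 1 both packets travel spoke1, hub, spoke2; in Phase 2 spoke1 resolves spoke2 before the first packet and both go direct; in Phase 3 the first packet hairpins through the hub, which sends one redirect, and from the second packet on the shortcut carries traffic straight to spoke2. Asking for a tunnel address that never registered produces a resolution reply without an NBMA address, so the sending spoke has nothing to put in the outer header and gives up rather than guessing.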
